<img src="https://secure.leadforensics.com/32105.png" style="display:none;">

New OpenSSL Bug Exposed

On the 10th of July a new bug was announced in the OpenSSL library. This is the library used by many websites and tools to manage TLS/SSL.

How does it Affect My1Login?

Before we go onto discuss the bug, how it works and what it does, it's important to say that it does not affect My1Login services or our customers.

What is it?

Unlike Heartbleed, which affected servers, this new bug mainly affects end-user products (such as web-browsers, VPN tools, etc.). It's potentially very serious in that it allows a website to present an invalid SSL certificate, but to have the end-user application treat it as though it were valid - so an SSL website can be easily impersonated. 

 openssl-bug

 Credit: GitHub

What do I need to do?

With regards to your My1Login account, nothing. It is not affected. With regards to general web usage, the actual reach of the new bug is limited as most of the major browsers do not use OpenSSL and are therefore not affected. Additionally, the bug has been caught quickly by OpenSSL. While it was present in pre-release code since January, the affected code has only been officially released by OpenSSL for the past month. Therefore very few applications are likely to have been released that contain it.

Google Chrome, Mozilla Firefox, IE and iOS all use Boring SSL and not OpenSSL. As a result if you use these browsers you are unnafected. Android uses both Boring SSL and OpenSSL, depending on the operating system version. However, individual apps on mobile devices typically use their own code for verifying certificates. This means any individual app could potentially be vulnerable. To mitigate this risk, as it may take several weeks for the fixes to be rolled out by all vendors, our advice is to rely on browsers that are not vulnerable to the bug over individual apps.

Further information can be obtained from OpenSSL themselves here.

 

Back to Blog

Related Articles

My1Login Named Top Performer in Identity & Access Management for Customer Success

My1Login have been named a Top Performer in FeaturedCustomers’ Spring 2022 Identity & Access Management Software Customer Success Report.FeaturedCustomers is a...

My1Login named Winner at the 2021 Cloud Excellence Awards

My1Login is delighted to announce that it has been named the Cloud Security Product of the Year for Identity, Access and Authentication at the 2021 Cloud...

My1Login Wins Best Identity Management Solution 2022

My1Login wins Best Identity Management Solution at the SC Awards Europe 2022!